WordPress Backup Plugin (BackWPup) – Highly Recommended

For anyone running a WordPress site, having a database backup is a very nice thing to have.  This can be achieved through several different plugins, including one reviewed here previously — Better WordPress Security, now known as iThemes Security.  I’ve also written previously about using a shell script for database backups, especially on 1and1.com.

But what about the physical files and content directories?  Those usually require an FTP account or more. I was recently shown BackWPup, which backups not only database files, but also your entire content directory.  It does it extremely well, and with many important options in the free version.  (The paid version offers more options and controls, but for most people, the free version alone will work just fine.)

For the non-techie crowd out there, its interface may seem a bit daunting at first, but it’s worth learning to use.  I’ll also outline some settings we suggest you use.

Let’s Go Step By Step

  1. Go to the “Add New” link under plugins.
  2. Do a search for “BackWPup” and you should easily find the plugin for safe installation via the WordPress admin.
  3. Install and activate the plugin.
  4. Once you’ve got it activated, you’ll have a couple of new menu options – one at the top of your admin page, the other in the admin below your “Settings” options.  (There may be other items in between depending on what else you’ve added — we have iTheme’s Security in our left navigation panel.)  Click the Settings option under BackWPup.
  5. You’ll now have a screen with tabs for General, Jobs, Logs, Network, API Keys, Information.
    • Let’s start with General. The default setup is probably fine for everyone with checks next to “Show BackWPup links in admin bar” and “Protect BackWPup folders with .htaccess and index.php”.
    • Jobs – Again, the default setup is probably fine, but I would recommend a couple of changes.  First, click the checkbox for “No translation.”  Next, given you are most likely on a shared server for your hosting, it’s more than polite to select one of the options for “Reduce server load.”  I set mine to “medium.”
    • Logs – If you have the ability of creating a directory above the root web level, it makes sense to put the logs there and not within the web accessible levels of your site.  If you can do this, change the path to the log file folder to this “upper” level.  I also only keep 3 to 5 log files in my folders.  I also recommend selecting the checkbox for “Compression.”
    • Network and API Keys are not likely items you’ll need to touch.
    • The Information tab can provide you with some details if you are having any problems with this plugin out of the box. (I’ve never needed it.)  That covers the “Settings” option.  Let’s move to creating a “Job” now.
  6. Click the “Add new job” option in the left nav.  This is where you’ll be doing the most amount of setup.  We have five tabs showing by default, but we will soon have a sixth.  I’ll explain as we go.  Let’s take this tab by tab, too.
    • General – First off, let’s give the job a name.  I also check the “Check database tables” checkbox but leave unchecked the “WordPress XML export.”  You’ll see another tab at the top now for “DB Check.”  Under the Backup File Creation section, prepend the archive name with your site’s name perhaps.  If you are like me, you may have multiple sites backed up to the same backup directory above the web level.  Now it is important to pick the right Job Destination.  I don’t want large files emailed to me, nor put to DropBox, FTP, etc.  Just store this bugger in a folder that is above the root level for the web server if possible.  Click the checkbox for “Backup to Folder” and when you do, yet another tab will be visible at the top of the section.  Validate that the email addresses in the Log Files section are correct and click Save Changes.
    • Schedule – I prefer to have the backup run nightly.  I select the option “with WordPress cron.” When selected, you can edit the default 3am time if you desire.
    • DB Backup – Leave things as they are here, but you may also want to select Gzip under “Backup file compression.”  I do.
    • Files – By default, the program doesn’t backup its own plugin folder.  If you are backing things up to a directory above the web root, you can deselect the checkbox for “backwpup” in the “Backup plugins” section.  I also select the option of excluding thumbnails and .tmp, .DS_Store files etc.  Leave selected the “Include special files” checkbox.
    • Plugins – I compress mine with Gzip.  There’s no use leaving the backup large in my view.
    • DB Check – I check the checkbox for “Try to repair defect table” as this is a safe thing to do and may save you some pain.
    • To: Folder – Because we are saving things to a folder, it’s important to select the destination and the number of backups to save.  Again, I put my backups above the web root level.  If you can do that, it’s more secure.  If not, the plugin does a good job of randomizing the folder name and providing a security through obscurity model.  I don’t keep 15 copies of my site though – only 3 to 5 depending on the size.  Now to move on to running our first backup.
  7. Click “Jobs” under the Dashboard tab.  You should see a screen with the job you just created listed on it.
  8. Mouse over the name of the job and you’ll see options including a link to “Run Now” – click that!

  9. If you’ve configured things correctly, your backup will run and show you the progress along the way.  The Gzip process may take some time depending on the size of your site and files.  Note also that if you did as I suggested above and minimized the impact to the server resources, it will take longer to run, too.  My backups tend to take a minute to as much as 4 minutes to run for a very large site with many files.

That’s all you should need to do to safely back up your database and your content for your WordPress site.  Hats off to the developers at BackWPup for their excellent work!

In a future post, I’ll show how to take a backup file and either restore a site, or use it to move to a new host.

iThemes Security – A must have

Earlier I wrote about a plugin for WordPress I found to be extremely valuable – Better WP Security.  Specifically, its ability to block brute force attacks against simpler password and username combinations.  This was a major threat to all WordPress sites almost a year ago.

Since then, there have been many updates to the Better WP Security plugin, and the developer has also been hired by iThemes to continue his development (and monetize the plugin’s advanced features).  This is great news really as the free version of the plugin is excellent and there are now a wider range of paid advanced features many web developers and site administrators should consider using, now.  The plugin is more robust than it was even; no small task for a developer starting with what already seemed to me to be a full featured security plugin.

If you are still on the older Better WP Security plugin, deactivate the older version of the plugin before you update.  Failing to do this can make your site inaccessible, as there are conflicts between the features and the plugin’s ability to update them while active.  Once you’ve updated to the iThemes version, you simply need to reactivate the plugin and check to see what new options are available that you should consider including in your site’s security features.

If you failed to deactivate the plugin, you’ll need to move the plugin directory for Better WP Security out of your site’s plugin folder and perhaps remove any updates the plugin did to your htaccess file.  Once you do that, you should be able to complete the update or reinstall the plugin.

Securing Older Versions of Joomla

One reason I’ve begun to prefer WordPress over Joomla is that WordPress has made the upgrade process so much easier than Joomla. To upgrade Joomla 1.x to 1.5, you have to use special tools and again if you go from 1.5 to 2 or version 3, be prepared for a different toolset and migration path.  Ugh!  Worse still, Joomla Extensions have become very version specific due to a lack of backwards compatibility. WordPress on the other hand allows one to simply put the new code in place, and so long as there is not a conflict with a Plugin, the code takes care of everything else for you, including updating the database.

Perhaps it is only because I haven’t tried to migrate a very customized WordPress site that I feel this way, or that my more complicated older sites are nearly all in Joomla.  So long as I keep a copy of the changes I’ve made to styles or any core files, I’m able to keep things up to date really quite easily with WordPress. As noted above, sometimes an entire system isn’t easy to replace though.  There are times a client has invested heavily into very specific Joomla module or tool — only to have these items not become readily available to the newest versions of Joomla. (I am not finding this to be true of WordPress Plugins — another reason to go with WordPress today.)  So the problem to deal with is securing older versions of Joomla that have known security issues.  What exactly can one do to make an older Joomla site more secure? Let’s take a look at securing Joomla.

Brute Force Attacks? Get “Better WP Security” for WordPress Security

Over the past several days, I’ve seen a great many news articles about a bot based brute force attack on WordPress (and Joomla) based websites where the bot uses common password choices and attempts to login with the username “admin.”  Mind you, we are talking about hundreds, perhaps thousands of these common passwords and coming from tens of thousands of compromised servers.  The effort being to gain access to the server and then use the administrator site to add other files and code changes which further compromise the use of the website completely. You really need some WordPress Security.

Having already written about other hacking effort increases of late, I am bothered that yet again these content management systems are being hit with what amounts to the use of wasted talent; hackers show intelligence and problem solving skills, why not put them to use in a way that doesn’t harm others?  Thankfully, the open source community is quick to respond and build tools needed to protect websites from such harmful efforts.

Better WP Security from Bit51.com is an excellent add-on to your WordPress website.  It was written long before this current wave of brute force attacks, and is something I would recommend all WordPress websites use from day one.  It relies on both .htaccess changes for blocking known bots and other file changes that remove vulnerabilities outright and through obfuscation.

Here is a list of some of the things this tool does:

  • Enforces stricter passwords for users at any level you determine.
  • Removes the backend file editor.
  • Scans the site for recently changed files and emails a report to you if there are such intrusions.
  • Blocks repeated login attempts.
  • Blocks SQL injection attempts.
  • Makes backups of your database and mails them to you at regular intervals.

This is open source work at its finest.  It is free to use, but the developer does provide a means of paying him for his work — which I’d highly recommend doing as this tool is really quite well constructed and extremely valuable.

Open Source Time Management Software – timeEdition is Perfect

For years I used TimeSlice on my Macintosh (it’s a cross-platform app though) for tracking my freelance hours.  It was simple, easy to set up for jobs, and printed out a nice report for my clients to see.  However, it wasn’t open source.  It wasn’t expensive either, really, but I like the idea of using an OS app that I can contribute to if needed, both in terms of feedback or code edits for improvement.  Having updated my version of Mac OS somewhat recently, it was time to look for a good replacement.  I found something I think I’m coming to like even more than my trusty old TimeSlice app: timeEdition.

This little app (and Dashboard widget if you are so inclined) does all I need it to do and more.  With it, I can setup clients, projects, tasks and the rates applied to each of these tasks.  The ability to specify a different rate for simpler tasks is something I valued a great deal in TimeSlice.  With TimeSlice, you had to have a file for each client – not so for timeEdition.  I can shift between clients and tasks in one simple (and small) interface.  See this screenshot provided by the developer –

timeEdition Version 4.x

Note that there are multiple windows shown here, but that’s just to give you the different color options really.  Note also that this app is cross-platform, too.  There’s a Macintosh, Windows and Linux version!  Very nicely done.

Another feature I found extremely useful is the ability to select where the database file, and the backup file one can create, are stored on your computer.  I chose to put mine in a DropBox folder so that I could have assured backup and potentially do work on another machine if needed.  I had configured some clients, projects and tasks before changing my database location over, though, and these items were not automatically moved to the new location.  Beware of that.  It was a pretty simple process to find the default location and import my data into the new database, too, but that’s really the only complaint I can make about this very well laid out and simple tool.  The reporting is more than sufficient for my needs too.

If you are in need of a time logging tool, I highly recommend timeEdition.

Goodbye 1and1 Email, Hello Gmail

I’ve been with 1and1.com for hosting for many years and by and large have been happy with their services.  (Note, not necessarily their service, but their services.)  One thing that 1and1 had always done well was spam filtering.  Until recently, that is.

Either they have changed their real-time blacklists, had a few points of failure, or spammers are simply getting better (maybe all of the above).  Simply put, the amount of spam I was receiving on an hourly basis was greater than my legitimate email.  I contacted 1and1’s support staff on multiple occasions and tried different settings and such, but was still getting about 20-30 spam messages in my inbox every day.  Something had to be done to keep my email clean and return it to being a useful tool.

Spam adds up to lost time very quickly for me.  I check mail often at work and like to be able to respond in a very timely fashion to requests, issues, and such.  Spam makes me not want to check my personal email but every hour instead of continuously.  So many times the email notifications would be for nothing worthwhile at all.  Worse, I was losing legit email in the midst of all of this garbage, too.

I didn’t give up on getting email under control even though 1and1 wasn’t able to resolve the issues.  Instead, I decided to use Gmail; my domain’s email is now managed via Gmail’s Business Apps program.  Given I only need about 4 email accounts, I’m also able to get by with the free version.  I know other people who use all of the Google App features, but for me, getting a handle on spam is worth it all by itself.

UPDATE: As of November 2012, Google has stopped offering this free version.  We were very lucky to be grandfathered into the free setup.  If you’re having trouble with spam, the $5 per box per month charge is still a great deal in our view.

WP Hashcash – Powerful Anti-Spam Plugin for WordPress

WordPress is not new to me, but I haven’t been a ‘constant user’ until recently.  My favorite content management tool and site creation software has long been Joomla! and still is for most sites I build or work on.  However, there are times that WordPress is simply the ideal choice — especially if the site’s main purpose is to be a blog, like this one is now.  Thus my switch to WordPress for my own use; I need to eat my own dog food, so to speak.

One aspect of hosting a blog site, especially one running on a popular open source platform such as WordPress, is dealing with spammers.  This isn’t because the open source software is somehow more vulnerable to such attacks, as I actually think the opposite, but more because hackers are going to develop automated scripts that will work with the largest segment that the they can.  WordPress is very popular and thus a bigger target.

Cutting down or eliminating spam can be a major chore for anyone.  Fortunately, there are several tools available that help filter out the spam from the legitimate comments submitted.  Here are two that I have found to work extremely well and am using on several websites.

  • Akismet – This is a WordPress standard and while far from perfect, a very useful tool to use.  It will help identify a great deal of the spam messages that come your way.
  • WP Hashcash – A client side JavaScript tool that does an excellent job of blocking spam bots.

It’s WP Hashcash in conjunction with Akismet that really works well.  You can have WP Hashcash kick out the obvious spam it finds and then have the rest moderated by Akismet.  WP Hashcash works on a simple principle: automated spam is not going to be entered by a human in a browser.  Most spam bots aren’t going to have JavaScript enabled, and fewer still are going to use a real form submission from a browser; their spam bot will be an automated affair.  WP Hashcash detects this and flags the comment (or trackback) as spam.  Brilliant!